Department of Homeland Security
Office of Inspector General

Information Technology Management Letter for the FY 2013 Department of Homeland Security's Financial Statement Audit – National Protection and Programs Directorate

OIG-14-98                                     May 2014


OFFICE OF INSPECTOR GENERAL
Department of Homeland Security
Washington, DC 20528 / www.oig.dhs.gov

May 28, 2014

MEMORANDUM FOR:   David Epperson
                  Chief Information Officer

                  Nicole Windham
                  Director, Budget and Financial Administration

FROM:             Richard Harsche
                  Acting Assistant Inspector General
                  Office of Information Technology Audits

SUBJECT:          Information Technology Management Letter for the FY 2013 Department of Homeland Security's Financial Statement Audit – National Protection and Programs Directorate

Attached for your information is our final report, Information Technology Management Letter for the FY 2013 Department of Homeland Security's Financial Statement Audit – National Protection and Programs Directorate. This report contains comments and recommendations related to information technology internal control deficiencies that were not required to be reported in the Independent Auditors' Report.

We contracted with the independent public accounting firm KPMG LLP (KPMG) to conduct the audit of Department of Homeland Security fiscal year 2013 consolidated financial statements. The contract required that KPMG perform its audit according to generally accepted government auditing standards and guidance from the Office of Management and Budget and the Government Accountability Office. KPMG is responsible for the attached management letter dated March 11, 2014, and the conclusion expressed in it.

Please call me with any questions, or your staff may contact Sharon Huiswoud, Director, Information Systems Audit Division, at (202) 254-5451.

Attachment


KPMG LLP
Suite 12000
1801 K Street, NW
Washington, DC 20006

March 11, 2014

Office of Inspector General,
Chief Information Officer and Chief Financial Officer,
U.S. Department of Homeland Security

Ladies and Gentlemen:

We have audited the financial statements of the U.S. Department of Homeland Security (DHS or Department) for the year ended September 30, 2013 (referred to herein as the "fiscal year (FY) 2013 financial statements"), and have issued our report thereon dated December 11, 2013. In planning and performing our audit of the financial statements of DHS, in accordance with auditing standards generally accepted in the United States of America and Government Auditing Standards, we considered internal control over financial reporting (internal control) as a basis for designing our auditing procedures for the purpose of expressing our opinion on the financial statements. In conjunction with our audit of the financial statements, we also performed an audit of internal control over financial reporting in accordance with attestation standards issued by the American Institute of Certified Public Accountants.

In accordance with Government Auditing Standards, our Independent Auditors' Report, dated December 11, 2013, included internal control deficiencies identified during our audit that, in aggregate, represented a material weakness in information technology (IT) controls and financial system functionality at the DHS Department-wide level. This letter represents the separate limited distribution report mentioned in that report, of matters related to the Office of Financial Management (OFM) and the Office of the Chief Information Officer (OCIO).

During our audit we noted certain matters involving internal control and other operational matters that are presented for your consideration. These comments and recommendations, all of which have been discussed with the appropriate members of management and communicated through Notices of Findings and Recommendations (NFRs), are intended to improve internal control or result in other operating efficiencies and are summarized as described below.

With respect to OFM's and OCIO's financial systems' IT controls, we noted certain matters in the areas of security management, access controls, and contingency planning. These matters are described in the General IT Control Findings and Recommendations section of this letter.

During our audit we noted certain matters involving financial reporting internal controls (comments not related to IT) and other operational matters, including certain deficiencies in internal control that we consider to be significant deficiencies and material weaknesses, and communicated them in writing to management and those charged with governance in our Independent Auditors' Report and in a separate letter to the Office of Inspector General and the DHS Chief Financial Officer.

Our audit procedures are designed primarily to enable us to form an opinion on the financial statements and on the effectiveness of internal control over financial reporting, and therefore may not bring to light all deficiencies in policies or procedures that may exist. We aim, however, to use our knowledge of DHS' organization gained during our work to make comments and suggestions that we hope will be useful to you.

We would be pleased to discuss these comments and recommendations with you at any time.

The purpose of this letter is solely to describe comments and recommendations intended to improve internal control or result in other operating efficiencies. Accordingly, this letter is not suitable for any other purpose.

Very truly yours,

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative ("KPMG International"), a Swiss entity.


Department of Homeland Security
Information Technology Management Letter
National Protection and Programs Directorate
September 30, 2013

TABLE OF CONTENTS

Objective, Scope, and Approach
General IT Control Findings and Recommendations
FY 2013 IT Notices of Findings and Recommendations at NPPD


OBJECTIVE, SCOPE, AND APPROACH

We have audited the financial statements of the U.S. Department of Homeland Security (DHS or Department) for the year ended September 30, 2013 (referred to herein as the "fiscal year (FY) 2013 financial statements"). In connection with our audit of the FY 2013 financial statements, we performed an evaluation of selected general information technology (IT) controls (GITCs) at the National Protection and Programs Directorate (NPPD) to assist in planning and performing our audit engagement. Specifically, limited after-hours physical security testing and social engineering at select NPPD facilities were conducted to identify potential control deficiencies in non-technical aspects of IT security.

GENERAL IT CONTROL FINDINGS AND RECOMMENDATIONS

Summary

During FY 2013, we continued to identify GITC weaknesses that could potentially impact NPPD's financial data related to controls over security management.

Collectively, the IT control weaknesses limited NPPD's ability to ensure that critical financial and operational data were maintained in such a manner as to ensure confidentiality, integrity, and availability. In addition, these weaknesses negatively impacted the internal controls over NPPD's financial reporting and its operations.

The two IT Notices of Findings and Recommendations (NFRs) issued during our FY 2013 testing were repeat findings from the prior year and represent weaknesses in the category of security management as defined by the Federal Information System Controls Audit Manual, issued by the U.S. Government Accountability Office, which formed the basis of our GITC evaluation procedures.

These weaknesses may increase the risk that the confidentiality, integrity, and availability of system controls and NPPD's financial data could be exploited, thereby compromising the integrity of NPPD financial data used by management and reported in NPPD's and DHS' financial statements.

While the recommendations made by us should be considered by NPPD, it is the ultimate responsibility of NPPD management to determine the most appropriate method(s) for addressing the weaknesses identified.

Findings

During our audit of the FY 2013 DHS financial statements, we identified the following NPPD GITC control deficiencies.

After-Hours Physical Security Testing

On August 20, 2013, we performed after-hours physical security testing to identify risks related to non-technical aspects of IT security. These non-technical IT security aspects included physical access to printed or electronic media, equipment, or credentials residing within an NPPD employee's or contractor's work area or shared workspaces which could be used by others to gain unauthorized access to systems housing financial or other sensitive information. The testing was performed at an NPPD facility in Arlington, Virginia, that processes, maintains, and has access to financial data.

At this location, we observed 14 instances where unsecured or unlocked laptops and printed materials marked "For Official Use Only" or containing sensitive personally identifiable information were accessible by individuals without a "need to know".

Social Engineering

Social engineering is defined as the act of attempting to manipulate or deceive individuals into taking action that is inconsistent with DHS policies, such as divulging sensitive information or allowing/enabling computer system access. The term typically applies to trickery or deception for the purpose of information gathering, or gaining computer system access.

On July 22, 2013, we performed social engineering testing from a DHS facility to identify risks related to NPPD personnel awareness of responsibilities for protecting sensitive IT information, including personal system access credentials, from disclosure to unauthorized personnel. We noted four instances where individuals divulged their FFMS application account password to KPMG auditors.

Recommendation

We recommend that the NPPD Office of the Chief Information Officer (OCIO) and Office of the Chief Financial Officer (OCFO), in coordination with the DHS OCIO and the DHS OCFO, develop a stronger compliance process to ensure employees are complying with information, physical, and privacy security policies.

FY 2013 IT NOTICES OF FINDINGS AND RECOMMENDATIONS AT NPPD

FY 2013 NFR #    NFR Title                                                          FISCAM Control Area   New Issue   Repeat Issue
NPPD-IT-13-01    Security Awareness Issues Identified During Social Engineering     Security Management               X
                 Testing at NPPD
NPPD-IT-13-02    Security Awareness Issues Identified During After-Hours Physical   Security Management               X
                 Security Testing at NPPD


ADDITIONAL INFORMATION

To view this and any of our other reports, please visit our website at: www.oig.dhs.gov.

For further information or questions, please contact Office of Inspector General (OIG) Office of Public Affairs at: DHS-OIG.OfficePublicAffairs@oig.dhs.gov, or follow us on Twitter at: @dhsoig.

OIG HOTLINE

To expedite the reporting of alleged fraud, waste, abuse or mismanagement, or any other kinds of criminal or noncriminal misconduct relative to Department of Homeland Security (DHS) programs and operations, please visit our website at www.oig.dhs.gov and click on the red tab titled "Hotline" to report. You will be directed to complete and submit an automated DHS OIG Investigative Referral Submission Form. Submission through our website ensures that your complaint will be promptly received and reviewed by DHS OIG.

Should you be unable to access our website, you may submit your complaint in writing to:

       Department of Homeland Security
       Office of Inspector General, Mail Stop 0305
       Attention: Office of Investigations Hotline
       245 Murray Drive, SW
       Washington, DC 20528-0305

You may also call 1(800) 323-8603 or fax the complaint directly to us at (202) 254-4297.

The OIG seeks to protect the identity of each writer and caller.